infrahub-server 1.6.0__py3-none-any.whl → 1.6.1__py3-none-any.whl

infrahub/api/oauth2.py

@@ -12,10 +12,12 @@ from opentelemetry import trace
 from infrahub import config, models
 from infrahub.api.dependencies import get_db
 from infrahub.auth import (
+    SSOStateCache,
     get_groups_from_provider,
     signin_sso_account,
     validate_auth_response,
 )
+from infrahub.auth_pkce import compute_code_challenge, generate_code_verifier
 from infrahub.exceptions import ProcessingError
 from infrahub.log import get_logger
 from infrahub.message_bus.types import KVTTL
@@ -42,6 +44,7 @@ async def authorize(request: Request, provider_name: str, final_url: str | None
     with trace.get_tracer(__name__).start_as_current_span("sso_oauth2_client_configuration") as span:
         span.set_attribute("provider_name", provider_name)
         span.set_attribute("scopes", provider.scopes)
+        span.set_attribute("pkce_enabled", provider.pkce_enabled)
 
         client = AsyncOAuth2Client(
             client_id=provider.client_id,
@@ -52,14 +55,32 @@ async def authorize(request: Request, provider_name: str, final_url: str | None
     redirect_uri = _get_redirect_url(request=request, provider_name=provider_name)
     final_url = final_url or config.SETTINGS.main.public_url or str(request.base_url)
 
+    # Generate PKCE parameters if enabled
+    code_verifier = None
+    pkce_params: dict[str, str] = {}
+    if provider.pkce_enabled:
+        code_verifier = generate_code_verifier()
+        code_challenge = compute_code_challenge(code_verifier)
+        pkce_params = {
+            "code_challenge": code_challenge,
+            "code_challenge_method": "S256",
+        }
+
     authorization_uri, state = client.create_authorization_url(
-        url=provider.authorization_url, redirect_uri=redirect_uri, scope=provider.scopes, final_url=final_url
+        url=provider.authorization_url,
+        redirect_uri=redirect_uri,
+        scope=provider.scopes,
+        final_url=final_url,
+        **pkce_params,
     )
 
     service: InfrahubServices = request.app.state.service
 
+    cache_data = SSOStateCache(final_url=final_url, code_verifier=code_verifier)
     await service.cache.set(
-        key=f"security:oauth2:provider:{provider_name}:state:{state}", value=final_url, expires=KVTTL.TWO_HOURS
+        key=f"security:oauth2:provider:{provider_name}:state:{state}",
+        value=cache_data.model_dump_json(),
+        expires=KVTTL.TWO_HOURS,
     )
 
     if config.SETTINGS.dev.frontend_redirect_sso:
@@ -82,13 +103,15 @@ async def token(
     service: InfrahubServices = request.app.state.service
 
     cache_key = f"security:oauth2:provider:{provider_name}:state:{state}"
-    stored_final_url = await service.cache.get(key=cache_key)
+    cached_data = await service.cache.get(key=cache_key)
     await service.cache.delete(key=cache_key)
 
-    if not stored_final_url:
+    if not cached_data:
         raise ProcessingError(message="Invalid 'state' parameter")
 
-    token_data = {
+    sso_state = SSOStateCache.model_validate_json(cached_data)
+
+    token_data: dict[str, str | None] = {
         "code": code,
         "client_id": provider.client_id,
         "client_secret": provider.client_secret,
@@ -96,6 +119,10 @@ async def token(
         "grant_type": "authorization_code",
     }
 
+    # Add code_verifier if PKCE was used
+    if sso_state.code_verifier:
+        token_data["code_verifier"] = sso_state.code_verifier
+
     token_response = await service.http.post(provider.token_url, data=token_data)
     validate_auth_response(response=token_response, provider_type="OAuth 2.0")
 
@@ -139,5 +166,5 @@ async def token(
     )
 
     return models.UserTokenWithUrl(
-        access_token=user_token.access_token, refresh_token=user_token.refresh_token, final_url=stored_final_url
+        access_token=user_token.access_token, refresh_token=user_token.refresh_token, final_url=sso_state.final_url
     )

infrahub/api/oidc.py

@@ -14,10 +14,12 @@ from pydantic import BaseModel, HttpUrl
 from infrahub import config, models
 from infrahub.api.dependencies import get_db
 from infrahub.auth import (
+    SSOStateCache,
     get_groups_from_provider,
     signin_sso_account,
     validate_auth_response,
 )
+from infrahub.auth_pkce import compute_code_challenge, generate_code_verifier
 from infrahub.exceptions import ProcessingError
 from infrahub.log import get_logger
 from infrahub.message_bus.types import KVTTL
@@ -58,6 +60,10 @@ class OIDCDiscoveryConfig(BaseModel):
     tls_client_certificate_bound_access_tokens: bool | None = None
     mtls_endpoint_aliases: dict[str, HttpUrl] | None = None
 
+    @property
+    def supports_pkce(self) -> bool:
+        return "S256" in (self.code_challenge_methods_supported or [])
+
 
 def _get_redirect_url(request: Request, provider_name: str) -> str:
     """Return public redirect URL."""
@@ -74,10 +80,14 @@ async def authorize(request: Request, provider_name: str, final_url: str | None
     validate_auth_response(response=response, provider_type="OIDC")
     oidc_config = OIDCDiscoveryConfig(**response.json())
 
+    pkce_supported = oidc_config.supports_pkce
+
     with trace.get_tracer(__name__).start_as_current_span("sso_oauth2_client_configuration") as span:
         span.set_attribute("provider_name", provider_name)
         span.set_attribute("scopes", provider.scopes)
         span.set_attribute("discovery_url", provider.discovery_url)
+        span.set_attribute("pkce_enabled", provider.pkce_enabled)
+        span.set_attribute("pkce_supported", pkce_supported)
 
         client = AsyncOAuth2Client(
             client_id=provider.client_id,
@@ -88,12 +98,26 @@ async def authorize(request: Request, provider_name: str, final_url: str | None
     redirect_uri = _get_redirect_url(request=request, provider_name=provider_name)
     final_url = final_url or config.SETTINGS.main.public_url or str(request.base_url)
 
+    # Generate PKCE parameters if enabled and supported by provider
+    code_verifier = None
+    pkce_params: dict[str, str] = {}
+    if provider.pkce_enabled and pkce_supported:
+        code_verifier = generate_code_verifier()
+        code_challenge = compute_code_challenge(code_verifier)
+        pkce_params = {
+            "code_challenge": code_challenge,
+            "code_challenge_method": "S256",
+        }
+
     authorization_uri, state = client.create_authorization_url(
-        url=str(oidc_config.authorization_endpoint), redirect_uri=redirect_uri, scope=provider.scopes
+        url=str(oidc_config.authorization_endpoint), redirect_uri=redirect_uri, scope=provider.scopes, **pkce_params
     )
 
+    cache_data = SSOStateCache(final_url=final_url, code_verifier=code_verifier)
     await service.cache.set(
-        key=f"security:oidc:provider:{provider_name}:state:{state}", value=final_url, expires=KVTTL.TWO_HOURS
+        key=f"security:oidc:provider:{provider_name}:state:{state}",
+        value=cache_data.model_dump_json(),
+        expires=KVTTL.TWO_HOURS,
     )
 
     if config.SETTINGS.dev.frontend_redirect_sso:
@@ -116,13 +140,15 @@ async def token(
     service: InfrahubServices = request.app.state.service
 
     cache_key = f"security:oidc:provider:{provider_name}:state:{state}"
-    stored_final_url = await service.cache.get(key=cache_key)
+    cached_data = await service.cache.get(key=cache_key)
     await service.cache.delete(key=cache_key)
 
-    if not stored_final_url:
+    if not cached_data:
         raise ProcessingError(message="Invalid 'state' parameter")
 
-    token_data = {
+    sso_state = SSOStateCache.model_validate_json(cached_data)
+
+    token_data: dict[str, str | None] = {
         "code": code,
         "client_id": provider.client_id,
         "client_secret": provider.client_secret,
@@ -130,6 +156,10 @@ async def token(
         "grant_type": "authorization_code",
     }
 
+    # Add code_verifier if PKCE was used
+    if sso_state.code_verifier:
+        token_data["code_verifier"] = sso_state.code_verifier
+
     discovery_response = await service.http.get(url=provider.discovery_url)
     validate_auth_response(response=discovery_response, provider_type="OIDC")
 
@@ -183,7 +213,7 @@ async def token(
     )
 
     return models.UserTokenWithUrl(
-        access_token=user_token.access_token, refresh_token=user_token.refresh_token, final_url=stored_final_url
+        access_token=user_token.access_token, refresh_token=user_token.refresh_token, final_url=sso_state.final_url
     )
 
 

infrahub/auth.py

@@ -51,6 +51,17 @@ class AccountSession(BaseModel):
         return self.auth_type == AuthType.JWT
 
 
+class SSOStateCache(BaseModel):
+    """Cache data stored during OAuth2/OIDC authorization flow.
+
+    This model is used to store state information between the authorization
+    request and the token exchange, including PKCE code_verifier when enabled.
+    """
+
+    final_url: str
+    code_verifier: str | None = None
+
+
 async def validate_active_account(db: InfrahubDatabase, account_id: str) -> None:
     account = await NodeManager.get_one(db=db, kind=CoreGenericAccount, id=account_id, raise_on_error=True)
     if account.status.value != AccountStatus.ACTIVE.value:

infrahub/auth_pkce.py

@@ -0,0 +1,41 @@
+"""PKCE (RFC 7636) utilities for OAuth2/OIDC authentication.
+
+This module provides functions to generate code verifiers and compute
+code challenges for the Proof Key for Code Exchange (PKCE) extension.
+"""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import secrets
+
+
+def generate_code_verifier() -> str:
+    """Generate a cryptographically random code verifier.
+
+    The code verifier is a high-entropy cryptographic random string using
+    the unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~",
+    with a minimum length of 43 characters and a maximum length of 128
+    characters.
+
+    Returns:
+        A 43-character URL-safe string (256 bits of entropy).
+    """
+    return secrets.token_urlsafe(32)
+
+
+def compute_code_challenge(code_verifier: str) -> str:
+    """Compute S256 code challenge from verifier.
+
+    Implements the S256 code challenge method as defined in RFC 7636:
+    code_challenge = BASE64URL(SHA256(code_verifier))
+
+    Args:
+        code_verifier: The code verifier string.
+
+    Returns:
+        Base64URL-encoded SHA256 hash without padding.
+    """
+    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
+    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")

infrahub/config.py

@@ -585,11 +585,14 @@ class SecurityOIDCBaseSettings(BaseSettings):
     icon: str = Field(default="mdi:account-key")
     display_label: str = Field(default="Single Sign on")
     userinfo_method: UserInfoMethod = Field(default=UserInfoMethod.GET)
+    pkce_enabled: bool = Field(
+        default=True, description="Enable PKCE (RFC 7636) with S256 method for authorization code flow"
+    )
 
 
 class SecurityOIDCSettings(SecurityOIDCBaseSettings):
     client_id: str = Field(..., description="Client ID of the application created in the auth provider")
-    client_secret: str = Field(..., description="Client secret as defined in auth provider")
+    client_secret: str | None = Field(default=None, description="Client secret as defined in auth provider")
     discovery_url: str = Field(..., description="The OIDC discovery URL xyz/.well-known/openid-configuration")
     scopes: list[str] = Field(default_factory=_default_scopes)
 
@@ -637,13 +640,16 @@ class SecurityOAuth2BaseSettings(BaseSettings):
 
     icon: str = Field(default="mdi:account-key")
     userinfo_method: UserInfoMethod = Field(default=UserInfoMethod.GET)
+    pkce_enabled: bool = Field(
+        default=True, description="Enable PKCE (RFC 7636) with S256 method for authorization code flow"
+    )
 
 
 class SecurityOAuth2Settings(SecurityOAuth2BaseSettings):
     """Common base for Oauth2 providers"""
 
     client_id: str = Field(..., description="Client ID of the application created in the auth provider")
-    client_secret: str = Field(..., description="Client secret as defined in auth provider")
+    client_secret: str | None = Field(default=None, description="Client secret as defined in auth provider")
     authorization_url: str = Field(...)
     token_url: str = Field(...)
     userinfo_url: str = Field(...)

infrahub/core/branch/models.py

@@ -3,7 +3,6 @@ from __future__ import annotations
 import re
 from typing import TYPE_CHECKING, Any, Optional, Self, Union, cast
 
-from neo4j.graph import Node as Neo4jNode
 from pydantic import Field, field_validator
 
 from infrahub.core.branch.enums import BranchStatus
@@ -24,6 +23,8 @@ from infrahub.core.timestamp import Timestamp
 from infrahub.exceptions import BranchNotFoundError, InitializationError, ValidationError
 
 if TYPE_CHECKING:
+    from neo4j.graph import Node as Neo4jNode
+
     from infrahub.database import InfrahubDatabase
 
 
@@ -168,7 +169,7 @@ class Branch(StandardNode):
         )
         await query.execute(db=db)
 
-        return [cls.from_db(node=cast(Neo4jNode, result.get("n"))) for result in query.get_results()]
+        return [cls.from_db(node=cast("Neo4jNode", result.get("n"))) for result in query.get_results()]
 
     @classmethod
     async def get_list_count(

infrahub/core/changelog/models.py

@@ -290,7 +290,7 @@ class NodeChangelog(BaseModel):
                     name=relationship.schema.name
                 )
             relationship_container = cast(
-                RelationshipCardinalityManyChangelog, self.relationships[relationship.schema.name]
+                "RelationshipCardinalityManyChangelog", self.relationships[relationship.schema.name]
             )
 
             relationship_container.add_new_peer(relationship=relationship)
@@ -311,7 +311,7 @@ class NodeChangelog(BaseModel):
                     name=relationship.schema.name
                 )
             relationship_container = cast(
-                RelationshipCardinalityManyChangelog, self.relationships[relationship.schema.name]
+                "RelationshipCardinalityManyChangelog", self.relationships[relationship.schema.name]
             )
             relationship_container.remove_peer(
                 peer_id=relationship.get_peer_id(), peer_kind=relationship.get_peer_kind()

infrahub/core/graph/__init__.py

@@ -1 +1 @@
-GRAPH_VERSION = 46
+GRAPH_VERSION = 47

infrahub/core/integrity/object_conflict/conflict_recorder.py

@@ -24,7 +24,7 @@ class ObjectConflictValidatorRecorder:
             )
         except NodeNotFoundError:
             return []
-        proposed_change = cast(CoreProposedChange, proposed_change)
+        proposed_change = cast("CoreProposedChange", proposed_change)
         validator = await self.get_or_create_validator(proposed_change)
         await self.initialize_validator(validator)
 

infrahub/core/migrations/graph/__init__.py

@@ -48,6 +48,7 @@ from .m043_create_hfid_display_label_in_db import Migration043
 from .m044_backfill_hfid_display_label_in_db import Migration044
 from .m045_backfill_hfid_display_label_in_db_profile_template import Migration045
 from .m046_fill_agnostic_hfid_display_labels import Migration046
+from .m047_backfill_or_null_display_label import Migration047
 
 if TYPE_CHECKING:
     from ..shared import MigrationTypes
@@ -100,6 +101,7 @@ MIGRATIONS: list[type[MigrationTypes]] = [
     Migration044,
     Migration045,
     Migration046,
+    Migration047,
 ]